From d91d2ceaf89457e257bfe585e6e45e4df0369d80 Mon Sep 17 00:00:00 2001
From: nsimons
Date: Mon, 6 Mar 2023 22:09:45 +0200
Subject: [PATCH] Fix cubbyhole and token revocation for legacy service tokens (#19416)
* Fix cubbyhole and revocation for legacy service tokens
Legacy service tokens generated in Vault 1.10+ with env var VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS=true are not assigned a cubbyhole ID. The implication is that cubbyhole/ cannot be used, nor can the tokens be revoked. This commit assigns a cubbyhole ID to these tokens and adds a new test case to see that cubbyhole and revocation works correctly.
* add changelog
* add godoc to test cases
---
 changelog/19416.txt | 3 +++
 vault/token_store.go | 2 +-
 vault/token_store_test.go | 14 ++++++++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 changelog/19416.txt
diff --git a/changelog/19416.txt b/changelog/19416.txt
new file mode 100644
index 000000000..f2a7d3275
--- /dev/null
+++ b/changelog/19416.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/token: Fix cubbyhole and revocation for legacy service tokens
+```
diff --git a/vault/token_store.go b/vault/token_store.go
index 8edd0e37f..b6d78c30f 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -1105,7 +1105,7 @@ func (ts *TokenStore) create(ctx context.Context, entry *logical.TokenEntry) err
 entry.ID = fmt.Sprintf("%s.%s", entry.ID, tokenNS.ID)
 }
- if tokenNS.ID != namespace.RootNamespaceID || strings.HasPrefix(entry.ID, consts.ServiceTokenPrefix) {
+ if tokenNS.ID != namespace.RootNamespaceID || strings.HasPrefix(entry.ID, consts.ServiceTokenPrefix) || strings.HasPrefix(entry.ID, consts.LegacyServiceTokenPrefix) {
 if entry.CubbyholeID == "" {
 cubbyholeID, err := base62.Random(TokenLength)
 if err != nil {
diff --git a/vault/token_store_test.go b/vault/token_store_test.go
index 5d5a2642f..3a41e704e 100644
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
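Review bot: The widened condition on the `+` line in vault/token_store.go only affects tokens created after this build; a legacy service token that was issued earlier without a CubbyholeID still has no cubbyhole and still cannot be revoked, and nothing in this hunk (or, as far as is visible, the commit) handles that case. If backfilling an ID for already-issued tokens is intentionally out of scope, a comment at the condition should say so rather than leaving the next reader to assume it is covered. The three-way prefix test is also hard to scan; a why-comment such as `// Non-root-namespace, service and legacy service tokens all need a cubbyhole ID: without one cubbyhole/ is unusable and revocation cannot clean it up.` would document the intent, or the check could be pulled into a small named predicate. The enclosing create method starts and ends outside the hunk.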
@@ -50,8 +50,22 @@ func TestTokenStore_CreateOrphanResponse(t *testing.T) {
 }
 }
+// TestTokenStore_CubbyholeDeletion tests that a token's cubbyhole
+// can be used and that the cubbyhole is removed after the token is revoked.
 func TestTokenStore_CubbyholeDeletion(t *testing.T) {
 c, _, root := TestCoreUnsealed(t)
+ testTokenStore_CubbyholeDeletion(t, c, root)
+}
+
+// TestTokenStore_CubbyholeDeletionSSCTokensDisabled tests that a legacy token's
+// cubbyhole can be used, and that the cubbyhole is removed after the token is revoked.
+func TestTokenStore_CubbyholeDeletionSSCTokensDisabled(t *testing.T) {
+ c, _, root := TestCoreUnsealed(t)
+ c.disableSSCTokens = true
+ testTokenStore_CubbyholeDeletion(t, c, root)
+}
+
+func testTokenStore_CubbyholeDeletion(t *testing.T, c *Core, root string) {
 ts := c.tokenStore
 for i := 0; i < 10; i++ {